Having been sold a C|EH boot camp on the basis that I would be learning the theory & skills to become a Penetration Tester at considerable cost to myself (~$4,500) I am now somewhat bemused

As it turns out I was taught 20-something modules of the v6 course's 67 modules because that is what is in the exam and was expected to learn the rest myself. When I do study the rest of the modules they are filled with as many obsolete tools as they is obsolete/irrelevant information.

I now basically have to shell out more money on something like an OSCP to get any validity. C|EH is cool to tell you friends about but of limited commercial value.

The general opinion, in our traditionally British way which, was backed up by my fellow Czech and American delegates:

a) That EC-Council jumped on the back of the 911 band-wagon and are only interested in making money.b) The guys on the E|CSA course said you could pass it with C|EH knowledge. So why run the course ? The LPT is a license to print money with $500 for no additional input other than another certificate.c) The fact that there was potentially offensive pornographic material on the v6 DVD was totally unacceptable!

The relatively newly introduced and well hidden requirement to maintain your certification by, one way or the other, lining the EC-Councils pockets doesn't help. This is exacerbated by the fact that by the time I have actually learnt enough to become an 'Ethical Hacker' I would no longer be certified as one.

If you want 'security professionals' how about providing real-world relevant information that will actually help you protect your companies/clients data and reputation?

I am under no illusion that any certification will lead you into a job and, furthermore, understand that I need to go out and learn the techniques and information to be an Ethical Hacker and stay relevant. So other than a certificate and a car sticker what did I get for my money?

I still would not be able to get a job as a Pen Tester?I still have little direction as to what I need to do to become a Pen. Tester other than become a genuine hacker, apply for some jobs and hope for the best?Shouldn't training be about the dissemination of information and the de-mistifying of the Hacker myth?

Is there another body who I should have spent my limited time and $$s on? If so, how do people like the EC-Council survive and shouldn't people within the industry take a stand to ensure that they either improve or disappear? If not, shouldn't places such as this or SANS be instrumental in instigating such a body/training?

Rant & Moan over

p.s. I hope Don doesn't censor me as it is simply an honest opinion/observation.

Certainly some bold comments in there, considering the company of this website. Let me see what all I can answer...

Having been sold a C|EH boot camp on the basis that I would be learning the theory & skills to become a Penetration Tester

The CEH will certainly not make you a penetration tester and is not even advertised as such by EC-Council. If this is how the course was sold to you, then that's exactly what it was - a training center "selling" it to you.

As it turns out I was taught 20-something modules of the v6 course's 67 modules because that is what is in the exam

Correct me if I'm wrong, but you just stated you attended a "boot camp," which by definition is to prepare you for the exam. Most people will give you advice that you should be familiar with the material prior to attending a boot camp, for the exact reason just mentioned. It would be nearly impossible to make it through 67 modules in a week-long course.

the rest of the modules they are filled with as many obsolete tools

I've not seen the v6 courseware, but I'll take your word for it. The CEH is meant to be an overall introduction to ethical hacking. To properly understand how everything works, you need to study the history as well. You need to start somewhere, and sometimes that means understanding older tools and older vulnerabilities.

EC-Council jumped on the back of the 911 band-wagon and are only interested in making money.

EC-Council did form some new things around then, but so did many other organizations as security was brought to the spotlight of everything we do. They are certainly not only interested in making money, they are interested in advancing the information security community.

The guys on the E|CSA course said you could pass it with C|EH knowledge

I will agree to this on an extent. You need to have further, in-depth knowledge of the tools to pass the ECSA. Can this be done with CEH knowledge, certainly! If you've used the tools enough to know how to use them and how to understand the output. I've always said the ECSA is more of an extension to the CEH than a separate certification. It focuses more closely on specific tools rather than giving you the broad overview the CEH includes.

The LPT is a license to print money with $500 for no additional input other than another certificate.

The LPT also performs small background verification to make sure you have no criminal record and that you are a trustworthy person. In addition, you have to take the LPT course (or the ECSA/LPT course) to learn not only the business aspect of penetration testing but also the proprietary LPT testing methodology. Hopefully the LPT will require a practical exam soon as well.

The fact that there was potentially offensive pornographic material on the v6 DVD was totally unacceptable!

I absolutely agree. Please send me a pm with the specific information in regards to this and I will follow-up on it with EC-Council to make sure it gets taken care of.

The relatively newly introduced and well hidden requirement to maintain your certification by, one way or the other, lining the EC-Councils pockets doesn't help

Again, you're missing the point. This is not to make money for EC-Council. This is to gain accreditation for the EC-Council certifications, thus increasing their value. They are currently striving to earn the ANSI accreditation so that they can also conform to the US DoD/IA standards. Part of ANSI requirements is to have a continuing education program. If anything, you should be happy about this as it should increase the value of your certification.

If you want 'security professionals' how about providing real-world relevant information that will actually help you protect your companies/clients data and reputation?

I've said this many times, but it really depends on the instructor of your class. If you get a great instructor, they will go above and beyond the CEH material to bring more real-world experiences to the classroom. If you have a bogus instructor, they'll follow the slides/labs and not really add anything to it. Again, the goal of the CEH is to get you acquainted with the world of hacking, not make you a professional penetration tester.

I am under no illusion that any certification will lead you into a job

Absolutely correct.

So other than a certificate and a car sticker what did I get for my money?

Hard to say without knowing your background and what sort of experience you have. But there must have been something about the CEH that interested you. Surely within 67 modules there would have to be something there that you didn't know before.

I'm not trying to directly attack you or any of your comments, so please don't take my reply in that way.

Certainly reply with any further comments and I'll do my best to answer anything I can.

I had followed the advice given on this site by Don back when I was first enrolling in the CEH. He said "ask for the courseware ahead of time." So I did just that and received the books in plenty time ahead of the class that I was able to read all the books and complete all the labs.

Come to find out, the instructor did nothing further. He walked through the instructor slides and took hour breaks (breaks!) to let everyone do the labs. I was super disappointed and felt similar to what you're feeling - that I just wasted a whole bunch of money on a class I would have been fine without (having just the courseware).

I didn't let it get me down though. I took the additional time to focus on what I somewhat already knew were going to be the important tools. I spent more time working in my virtual lab at home and looked down the road to the future. I look back at it now as an investment in myself. Take what you have learned from the course, and make use of it. Go further on your own and push yourself to learn the new stuff. After all, you are a certified hacker now - shouldn't you be resourceful

You'll get what you put in, and sometimes you just need to put in a little more to get a lot back.

I think that the main point of CEH is to teach how to think like a hacker and a pen tester. The course is not designed to make you a pen tester, much less a hacker. What it should give you is an offensive mindset and the desire to further your knowledge on your own.

I define "hacker" as someone who thinks outside the box and solve a problem in a way that is creative and perhaps not common. The reason hackers penetrate a box is not because they were talk how to do exactly, but because they were taught how to think differently from the programmer that created the software running on the box.

If you learned how to think offensively and differently as a result of the CEH course, it's well worth the money.

The CEH is positioned in the certification arena just like the Cisco and MS credentials. It is licensed and available to authorized training centers. That being said, many sell the course in a way that is inproper, and the instructor makes all the difference in the world. So one person can have incorrect expectations that are even more blown out of proportion by a bad instructor. On the other hand, another person can have proper expectations on what the course entails and those are surpassed by a great instructor. Such is the game. GIAC certs are less well known but when you take a SANS course, you pretty certain you'll have a top notch instructor.

As BillV mentioned, I recommend not only requesting the courseware before you arrive but also find out who the instructor is. Google the instructor's name. If you are not satisfied, reschedule. That is in your power as the customer.

Also in your power is to ask for a refund, be rescheduled and/or report them to the BBB (Better Business Bureau). It might also be helpful and might even be rewarded if you report the traininf facility to EC-Council. It helps every organization to know what their channel is doing or not doing to help the name of their products.

I can relate on this. I took my first CEH course in college, and it was BAD. Like really horrible. Outdated tools, bad instructors, and horrible course content. Then i took CBT nuggets course which was better, but not great, and VTC's training which was BAD too. (i capitalize bad for a reason)

When i looked further into it I realized there were two kinds of CEH courses. The first being to certify you, prepare you for a test that is shallow, outdated, and boring. The second was to actually teach you something.

Courses for this stuff is very limited in Europe and hence you don't always have the choice of re-scheduling if you don't like the look of the trainer let alone have the option of looking at a Sam Browne/Infosec course. This isn't especially great even if you want to attend a SANS event as they are much fewer and very expensive.

The reason I chose a boot camp style training course is due to lack of available time rather than just to get a few more letters after my name. I have a real-world job in Formula 1 and hence spend vast amounts of time travelling and when I am in the UK I am developing/fixing stuff before I go away again. Trying to find a week to do some training is hard enough....

However, my trainer was interesting and tried to inform us about stuff outside the course but all it made me do was question the course materials relevance. We were also informed that EC-Council was formed just after 9/11 and in reaction to it.

Also here is an extract from the v6 'Brochure' on the EC-Council website

Course Description:This class will immerse the student into an interactive environment where they will be shown how to scan, test,hack and secure their own systems. The lab intensive environment giveseach student in-depth knowledge and practical experience with the current essential security systems.Students will begin by understanding how perimeter defenses work and then be lead into scanning and attackingtheir own networks, no real network is harmed. Students then learn how intruders escalate privileges and whatsteps can be taken to secure a system. Students will also learn about Intrusion Detection, Policy Creation, SocialEngineering, DDoS Attacks, Buffer Overfl ows and Virus Creation. When a student leaves this intensive 5 dayclass they will have hands on understanding and experience in Ethical Hacking.

Was it really the training company that set my expectations from the course ?

My introduction to "Ethical Hacking" was through CEH v5 and thought it was a great class. The instructor added his own "real world" content and the last 1/2 day he put together a capture the flag. He focused on the best tools for the goal and skipped the others. It was great.

On the other hand, I decided to take the v6 version of the class. The proctor (he didn't instruct) read the slides and, since it was his first attempt at v6 failed at the timing, didn't cover the necessary material. There was no capture the flag so I'm not sure how I could say that I could do more than download and install the 50 + tools covered.

Based on the discrepancies with my two experience, I'm not sure whether the first instructor saw the shortfalls of the class and decided to make it something more that it was intended to be or the v6 instructor was just bad (or a combination of both).

With that being said, I then got introduced to the SANS courses through this site. I was never a big fan of SANS for multiple reasons but based on what I was reading I thought I would give it a try. I first took 504 and am currently in 560. Not even considering the difference in the quality of instructors (don mentioned this earlier) the quality of the classes definately outweigh the ~x2 the price. The courseware is actually usable; not only throughout the class but as a resource when you go home. In these classes there is also a capture the flag, at the end, that isn't trivial. Though these are team events, you will be able to guage your abilities when you walk away. Based on my experience, these classes are definately newer but, hands down, more mature compared to ec-Council.

Though I haven't experienced it, SANS at home is said to be pretty good for those that don't have direct access to a SANS event.

I found this blog interesting. As a GIAC and a CEH, let me try to provide my personal opinion.

The tools present in the CEH DVDs are not authored/owned by EC-Council. They are doing a wonderful job of searching latest tools/exploits in the wild and sharing with the community for research purpose. To call them moeny crazy is appalling. The US Army has mandated the CEH for a very long time and my unit has 6 CEH's !

I have personally seen lot of hacking tools on the Internet that have obscene images in their GUI. The hacking tool referred here cannot be termed as a pornographic material. Images of Girls in bikini swimsuit on the GUI of the tool hardly make it as porn... if it did South Beach Miami must be the biggest porn infested location stateside

I hope you read the disclaimer on the CEH DVD's.

"The tools/exploits are distributed as it is found in the wild. These are purely for research/educational purpose. One should not get offended viewing such images"

I wonder if anyone actually wrote to EC-Council ? They seem to have an excellent customer service and respond to email within 24 hrs.

Now, as far as the training goes : I was part of many in a hotel location to get my GIAC. Good trainer but they could hardly focus on everyone as there were too many in the location. 2 huge screens and a fast moving instructor. I had to bring my own laptop and there were no tools whatsoever like in CEH. Nothing bad but it was not for everyone. They will not spoon feed you.It was expansive !

CEH was in a location in NYC. 8 students in a class with an excellent Instructor. He was an EC-Council Master Trainer.He had a tremendous amount of knowledge and we got very personal attention.where .It may not be a bad idea to look out for classes by EC-Council Master Trainers .

I'd have to agree with don and the others, in support of EC-Council. When I took my CEH, I had already done self-study through their materials (both EC-Council text and third party CBT's, etc.) I went ahead and went to a boot camp, more or less to supplement my learning, and to give myself just a little more time with everything.

While my instructor told us very honestly, on day one, that his main purpose was to get folks to pass the exam (the goal of ALL 'boot camps' in IT,) he also went out of his way to set aside time, both before, after and during down time in each day's class, to cover real-world knowledge, usage and tools. He gave very relevant information, and has stayed in touch with many of us, since the class ended. You have to realize, much of a boot camp lies in the quality and education / training of it's instructors. Additionally, you gain contacts in other parts of the industry, with which to spread and share knowledge afterwards, having a common base point to work from. I can't count how many times those contacts have paid off for me, as you'll always have folks to go to, who specialize in different areas of pentesting, code review, etc, and whose knowledge comes in really handy, on short notice. Here, on EH-net, we can benefit from the wealth of knowledge and experience of other members.

But even poorly run boot camps can still result in good opportunities. This IS my opinion, and is shared by many I work with. Boot camps offer more than simply training, and although their primary focus is 'certification' and test passing, much can be still be garnered from them, if taken with an understanding that they are, in fact, boot camps.

All of this aside, I'd urge you to contact the provider of the boot camp. Express your honest feelings to them, regarding what you feel you gained or didn't gain, from their training, and try to help them make their offerings better. Even if you don't feel technically able to 'better' the training (if you don't feel like you've attained knowledge of a 'master hacker / pentester,) you can certainly offer advice to help them grow their offerings. While there's no guarantee of change, all we can do is work to better the community, and our opportunities, as a whole.

Thank you, however, for your opinions, and I hope you move forward with your pentesting / security opportunities!

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

I am very unhappy with my CEH certification. First, there is no customer support once you are certified, we got your money so ha.ha.ha. Horrible website and never been able to get valid logon. CISSP IS2 website is very helpful and they have support for certified individuals.

My instructor new the material but come on we hacked Windows boxes with no security patches, no firewall, etc...piece of cake. I agree tools taught and used were old versions and vulnerabilities on Windows come on Administator with password: password. I guess there could possibly be boxes out there like this but not if compliant with any regs. Only hacked on Linux and that was with efax vulnerability. Certainly did not prepare me for CPT.

Sorry I didn't decide to get a different certification, will not be going for any other eccouncil certifications or recommending to anyone else.

Certainly respect your opinion, and I do understand where you're coming from. I haven't had the 'best' of luck, contacting EC, but when they have responded, they've always been very helpful, to the point of getting me what I need. They also JUST recently fixed my login to the portal, so that I can now play 'catch-up' on my continuin credits to maintain it.

Also, I wouldn't 'write it off,' completely. While I fully understand your comments, as I'd noted in my last post, sometimes it's not always about the certification, but about what you take away from the experience, as well as what you can contribute, to make it (and the community) better.

I don't hold my CEH as my topmost 'security certification.' In fact, having obtained some others (most recently my OSCP,) CEH falls way down on my list of the security certifications that I hold, in terms of the value I took away from the course. But... it IS being looked at more closely, these days, by the DoD and other agencies, as a necessary cert to achieve certain positions and statuses, and if you'd ever want to work with those agencies or even contract into them, you'd very likely be checked on having it, at which point, there would a strong possibility you could be overlooked for someone else, who DID have the cred (assuming you didn't.) Does that make it more or less valuable? Not to those who truly know and understand, provided you can show your value without the cert. Many of us, on this forum, understand. Just as the review on the eLearnSecurity training called it a 'CEH Killer.' That view is because it DOES make you attack more than simply basically vulnerable machines or apps, and teaches you a bit more. But there is value in having the CEH, nonetheless. I look at that cert, more, as a methodology primer, and introduction to things like OSSTMM and rules of engagement, etc.

Again, at least my bootcamp instructor was very outgoing, and told us at the beginning, that the bootcamp was designed to pass the course. But what you need to understand is, that with ANY course or certification, each is inly a base point for your continual growth and development.

My opinion, anyway...

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

I think the real problem is that we compare all these certifications, along with their respective training. In my own humble opinion, Offensive-Security raised the bar a lot and other certifications/courses have an hard time competing with them. I think everyone will agree with me that OS:

- Answer email very quickly- Have a course that will challenge everyone- Have a courseware that is usable in real life- Is cheaper than almost all other certs/courses- And last but not least, you feel you have learned a lot once you get it!

In my opinion, CEH ranks lower than OSCP and SANS courses for most of the above points. I personally had to registered twice for the exam, NEVER got an answer from them (emailed and called many, many times!) and I had an hard time figuring out what was going to be in the exam.

dcindy8 wrote:CISSP IS2 website is very helpful and they have support for certified individuals.

Just out of curiousity, what kind of support do you want or need. A certification unlike a tangible item (software, hardware) doesn't need anything so I'm curious to know, outside of a horrible website design, what support do you need. My bank's website has horrible support, yet I deal with it on a daily basis.

dcindy8 wrote:My instructor new the material but come on we hacked Windows boxes with no security patches, no firewall, etc...piece of cake.

Blame the instructor. I wrote about the C|EH and its overuse of tools almost two years ago and debated with industry heavyweight Clement DuPuis over it. My two cents were that the exam was trying too hard to cover too many tools and not enough content, I still stick with this but at the end of the day, what you do with what you've learned is what matters most. One can get a decent amount of security coverage from the content for an intro hacking job, An expert it will not make anyone. http://www.professionalsecuritytesters. ... le941.html

dcindy8 wrote:Certainly did not prepare me for CPT.

Two different ballgames. The C|EH is not and was never meant to make you a pentester, it was solely meant to introduce you to tools and concepts behind them. So sure there are a kabillion tools referenced by EC-Council, the fact is, some of the older tools are better than the newer ones, you're supposed to get an introductory view of what different tools and why they do the things they do.

As for comparing the C|EH to say the OSCP or even CPT is like comparing the mechanic to the auto engineer. Two different roles. C|EH is an introductory certification, it will not make you an uber-anything but if you (mis)use the information properly, it will give you a strong introduction into security tools and methods hackers might use. It gives you a guideline on how to proceed. OSCP is an introductory to mid-level pentester that enables you to understand what happens, how to use available tools and create intro tools. CPT is for the mid-level to advanced pentester that assumes you've worked with tools and enables you to effectively use a variety of tools while introducing you on how to write your own tools. And the CEPT is for the advanced pentester who will write their own tools, break software on their own, etc.

The CPT *can* be compared to the OSCP to some degree and opinions will differ on which is better. For the OSCP, you have to break into N amount of machines to become certified. This is done with tools, certain methods followed by a write up. Usually and I don't have statistics to go by, I want to say about 90% of the people pass with tools available on Backtrack without building their own. For the CPT, I had to write my own code to create an overflow just to get by one of the machines which is a step above the game from the OSCP because there wasn't any tool to work with. There was zero exposure visible on compromising the machine to go by. On the contrary, the machine was hardened to an extent, yet even with SELinux on it, I got by. The CEPT was filled with many programming questions, so unless you're comfortable with Assembly and programming, you'll be a deer in headlights.